You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by Christopher Elkins <ce...@scardini.com> on 2000/07/20 23:06:08 UTC

Fw: [LoWNOISE] Tomcat 3.1 Path Revealing Problem.

Hi, all.

This message was recently posted to the Bugtraq mailing list. I am forwarding it
here for those who don't monitor said list. If this problem is no longer
relevant, please disregard.

--
Christopher Elkins


----- Original Message -----
From: "ET LoWNOISE" <et...@CYBERSPACE.ORG>
To: <BU...@SECURITYFOCUS.COM>
Sent: Wednesday, July 19, 2000 3:45 PM
Subject: [LoWNOISE] Tomcat 3.1 Path Revealing Problem.


> [LoWNOISE] Tomcat 3.1 Path Revealing Problem.
>
>
> ====PRODUCT:
> Release Build 3.1 of Tomcat from Apache Software Foundation.
> Tomcat is the combined JSP 1.1 and Servlets 2.2 reference
> implementation being developed under the Apache process.
>
> http://jakarta.apache.org
>
> ====PROBLEM:
> Path Revealing Problem0.
>
> http://narco.guerrilla.sucks.co:8080/anything.jsp
>
>   Error: 404
>   Location: /anything.jsp
>
>   JSP file "/appsrv2/jakarta-tomcat/webapps/ROOT/anything.jsp" not found
>
> ====
> Efrain 'ET' Torres
> et@cyberspace.org
>
> [LoWNOISE] Colombia 2000
>
>

Re: Fw: [LoWNOISE] Tomcat 3.1 Path Revealing Problem.

Posted by Costin Manolache <co...@eng.sun.com>.

Christopher Elkins wrote:

> Hi, all.
>
> This message was recently posted to the Bugtraq mailing list. I am forwarding it
> here for those who don't monitor said list. If this problem is no longer
> relevant, please disregard.

It's relevant, and it's just one part of the problem.

Tomcat also sends full stack traces on errors, and that reveals a lot about the
software that runs on tomcat.

Costin